CVE-2025-8277 LOW

CVE-2025-8277: Libssh: memory exhaustion via repeated key exchange in libssh

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-401
Published September 9, 2025
Last update May 19, 2026

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Key dates

02 Disclosure timeline

September 9, 2025 CVE published
May 19, 2026 Record updated
